LESSON 6
MALWARE
“License for Use” Information
The following lessons and workbooks are open and publicly available under the following
terms and conditions of ISECOM:
All works in the Hacker Highschool project are provided for non-commercial use with
elementary school students, junior high school students, and high school students whether in a
public institution, private institution, or a part of home-schooling. These materials may not be
reproduced for sale in any form. The provision of any class, course, training, or camp with
these materials for which a fee is charged is expressly forbidden without a license including
college classes, university classes, trade-school classes, summer or computer camps, and
similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at
www.hackerhighschool.org/license.
The HHS Project is a learning tool and as with any learning tool, the instruction is the influence
of the instructor and not the tool. ISECOM cannot accept responsibility for how any
information herein is applied or abused.
The HHS Project is an open community effort and if you find value in this project, we do ask
you support us through the purchase of a license, a donation, or sponsorship.
All works copyright ISECOM, 2004.
LESSON 6 – MALWARE
Table of Contents
“License for Use” Information, p. 2
Contributors, p. 4
6.0 Introduction, p. 5
6.1 Viruses (Virii), p. 5
  6.1.1 Introduction, p. 5
  6.1.2 Description, p. 5
    6.1.2.1 Boot Sector Viruses, p. 5
    6.1.2.2 The Executable File Virus, p. 5
    6.1.2.3 The Terminate and Stay Resident (TSR) Virus, p. 6
    6.1.2.4 The Polymorphic Virus, p. 6
    6.1.2.5 The Macro Virus, p. 6
6.2 Worms, p. 7
  6.2.1 Introduction, p. 7
  6.2.2 Description, p. 7
6.3 Trojans and Spyware, p. 7
  6.3.1 Introduction, p. 7
  6.3.2 Description, p. 7
6.4 Rootkits and Backdoors, p. 8
  6.4.1 Introduction, p. 8
  6.4.2 Description, p. 8
6.5 Logicbombs and Timebombs, p. 8
  6.5.1 Introduction, p. 8
  6.5.2 Description, p. 9
6.6 Countermeasures, p. 9
  6.6.1 Introduction, p. 9
  6.6.2 Anti-Virus, p. 9
  6.6.3 NIDS, p. 9
  6.6.4 HIDS, p. 10
  6.6.5 Firewalls, p. 10
  6.6.6 Sandboxes, p. 10
6.7 Good Safety Advice, p. 11
Further Reading, p. 12
Contributors
Simon Biles, Computer Security Online Ltd.
Kim Truett, ISECOM
Pete Herzog, ISECOM
Marta Barceló, ISECOM
6.0 Introduction
“Malware” is the general term for programs, or parts of programs, that have a malicious (“mal”) or
unpleasant effect on your computer security. It covers many different terms that you may have heard
before, such as “virus”, “worm” and “Trojan”, and possibly a few that you haven't, like
“rootkit”, “logicbomb” and “spyware”. This lesson will introduce, define and explain each of
these subdivisions of malware, give you examples, and explain some of the
countermeasures that can be put in place to limit the problems caused by malware.
6.1 Viruses (Virii)
6.1.1 Introduction
Virus – this is the most common type of malware that people will be aware of. The reason that
it is known as a virus, rather than anything else, is historical. The press ran the stories of the first
computer virus at the same time as articles concerning the spread of AIDS. At the time, there
were simple parallels that could easily be drawn between the two: propagation through
interaction with a contaminated party, the reliance on a host, and the ultimate “death” of
anything infected. This resulted, and still does occasionally, in concerns that people could
become “infected” with a computer virus.
6.1.2 Description
Viruses or virii are self-replicating pieces of software that, similar to a biological virus, attach
themselves to another program, or, in the case of “macro viruses”, to another file. The virus is
only run when the program or the file is run or opened. It is this which differentiates viruses from
worms. If the program or file is not accessed in any way, then the virus will not run and will not
copy itself further.
There are a number of types of viruses, although, significantly, the most common form today is
the macro virus, and others, such as the boot sector virus, are now only found “in captivity”.
6.1.2.1 Boot Sector Viruses
The boot sector virus was the first type of virus created. It hides itself in the executable
code at the beginning of bootable disks. This meant that in order to infect a machine, you
needed to boot from an infected floppy disk. A long time ago (15 years or so), booting
from floppy was a relatively regular occurrence, meaning that such viruses were actually
quite widespread by the time that people figured out what was happening. This virus (and
all other types) should leave a signature which subsequent infection attempts detect, so
as not to repeatedly infect the same target. It is this signature that allows other software
(such as anti-virus software) to detect the infection.
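As an added example (not code from the lesson or from ISECOM) of the detection idea in this paragraph, the Python below reads the first sector of a disk image, looks for known infection markers in it, and also flags any change against a recorded clean hash. The marker strings and the demo disk image are constructed for the example and are not real malware identifiers.

```python
import hashlib
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid PC boot sector

# Constructed marker strings standing in for the "signature" an infection
# leaves behind; these are example values, not real malware identifiers.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "DEMO-BOOT-A": b"DEMO_BOOTVIR_A",
    "DEMO-BOOT-B": b"DEMO_BOOTVIR_B",
}


def boot_sector(image: bytes) -> bytes:
    """Return the first sector of a disk image, where the boot code lives."""
    return image[:SECTOR_SIZE]


def has_boot_signature(sector: bytes) -> bool:
    """A bootable sector is 512 bytes long and ends in 0x55 0xAA."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def scan_boot_sector(image: bytes) -> List[str]:
    """Report which known markers appear in the image's boot sector."""
    sector = boot_sector(image)
    return [name for name, pattern in KNOWN_SIGNATURES.items() if pattern in sector]


def sector_digest(image: bytes) -> str:
    """SHA-256 of the boot sector, for comparison against a clean baseline."""
    return hashlib.sha256(boot_sector(image)).hexdigest()


def sector_changed(image: bytes, baseline_digest: str) -> bool:
    """True when the boot sector no longer matches the recorded clean hash."""
    return sector_digest(image) != baseline_digest


def make_demo_image(infected: bool) -> bytes:
    """Build a constructed 512-byte boot sector, optionally carrying a marker."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"          # a typical jump over the data area
    if infected:
        marker = KNOWN_SIGNATURES["DEMO-BOOT-A"]
        sector[0x40:0x40 + len(marker)] = marker
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

The hash check catches a modified boot sector even when no marker is known, which is why a signature list alone is never enough.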
6.1.2.2 The Executable File Virus
The Executable File virus attaches itself to files, such as .exe or .com files. Some viruses
would specifically look for programs which were a part of the operating system, and thus
were most likely to be run each time the computer was turned on, increasing their
chances of successful propagation. There were a few ways of adding a virus to an